U.S. Department of Energy
Office of Inspector General
Office of Audits and Inspections

Evaluation Report
The Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2011

OAS-M-12-01                        November 2011

Department of Energy
Washington, DC 20585
November 15, 2011

MEMORANDUM FOR THE CHAIRMAN, FEDERAL ENERGY REGULATORY COMMISSION

FROM:     Rickey R. Hass
          Deputy Inspector General for Audits and Inspections
          Office of Inspector General

SUBJECT:  INFORMATION: Evaluation Report on "The Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2011"

INTRODUCTION AND OBJECTIVE

The Federal Energy Regulatory Commission (Commission) is an independent agency within the Department of Energy responsible for regulating the Nation's oil pipeline, natural gas, hydroelectric and wholesale electric industries. The Commission relies on a wide range of information technology (IT) resources in achieving its mission of assisting consumers in obtaining reliable, efficient, and sustainable energy services. As highlighted by cyber attacks at various Federal entities over recent years, malicious individuals continue to take advantage of the changing information security threat landscape and exploit vulnerabilities in IT resources that have not been remediated. To help protect against cyber security threats such as these, the Commission estimated that it would expend approximately $3.8 million during Fiscal Year (FY) 2011 to secure its IT assets.

The Federal Information Security Management Act of 2002 (FISMA) established requirements for Federal agencies related to the management and oversight of information security risks and to ensure that IT resources were adequately protected. As directed by FISMA, the Office of Inspector General conducted an independent evaluation of the Commission's unclassified cyber security program to determine whether it adequately protected data and information systems. This report presents the results of our evaluation for FY 2011.

RESULTS OF EVALUATION

The Commission had taken actions to improve its cyber security posture and mitigate risks associated with certain issues identified during our FY 2010 evaluation. While these measures are noteworthy, our current evaluation disclosed that additional action is needed to further protect information systems and data. In particular, we continued to identify weaknesses related to the Commission's timely remediation of software vulnerabilities: our testing found that not all servers and workstations were being patched in a timely manner.

The problems we identified were due, in part, to less than fully effective implementation of cyber security policies and procedures. In particular, Commission officials informed us that they did not follow existing Vulnerability Management Program (VMP) policies due to budget and resource constraints. Although the Commission continued to make progress in improving its cyber security posture, additional actions are needed to further reduce the risk to the agency's information systems and data.

Among the improvements since our FY 2010 evaluation, the Commission had updated its incident response process to help ensure that all incidents were reported to the Department of Energy Cyber Incident Response Capability within established timeframes. In addition, it utilized its VMP to help identify vulnerabilities in unclassified network systems, including servers, workstations, applications, and network and security devices. Finally, officials continued to perform regularly scheduled scans of networks, workstations and web applications. These actions are positive; however, additional effort is needed. As such, we recommended that the Commission ensure that existing vulnerability management procedures are fully implemented.

Due to security considerations, information on specific vulnerabilities has been omitted from this report. However, management was provided with detailed information regarding identified vulnerabilities, and in certain instances, had initiated corrective action.

MANAGEMENT REACTION

Management concurred with the report's recommendation and disclosed that it had initiated actions to address the issues identified in our report. Management's comments are included in their entirety in Appendix 3.

Attachment

cc:   Deputy Secretary
      Associate Deputy Secretary
      Executive Director, Federal Energy Regulatory Commission
      Chief of Staff

EVALUATION REPORT ON THE FEDERAL ENERGY REGULATORY COMMISSION'S UNCLASSIFIED CYBER SECURITY PROGRAM - 2011

TABLE OF CONTENTS

The Federal Energy Regulatory Commission's Unclassified Cyber Security Program
    Details of Finding
    Recommendation and Comments

Appendices
    1. Objective, Scope and Methodology
    2. Related Reports
    3. Management Comments

The Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2011

DETAILS OF FINDING

Program Improvements and Patch Management

We identified a number of positive aspects related to the Federal Energy Regulatory Commission's (Commission) unclassified cyber security program. For instance, we noted that corrective actions had been taken to address certain issues identified during the Fiscal Year (FY) 2010 evaluation. We found that the Commission:

    •   Updated its incident response process to help ensure that all incidents were reported to the Department of Energy Cyber Incident Response Capability within established timeframes;

    •   Utilized its Vulnerability Management Program (VMP) to help identify vulnerabilities for its unclassified network systems, including servers, workstations, applications, and network and security devices; and,

    •   Continued to perform regularly scheduled scans of networks, workstations and web applications.

Patch Management

We determined that the Commission significantly reduced the number of "high risk" vulnerabilities in its information systems since our prior year review. In preliminary comments on our draft report, management stated that it had successfully applied over 500 patches to its almost 1,500 servers and workstations during FY 2011, activity covering over 95 percent of total available patches. Additionally, officials stated that certain patches could not be applied because they could have had operational impacts.

While these are positive results, our testing found that not all servers and workstations were patched in a timely manner. Specifically, we noted that 32 of the 70 vulnerabilities we identified were rated "high risk" by the vendor and/or the National Vulnerability Database sponsored by the Department of Homeland Security's National Cyber Security Division. While 9 of the issues identified impacted a significant number of the 45 servers and/or 236 workstations tested, the remaining 23 were confined to a small subset of those devices.

The vulnerabilities we observed were primarily associated with third-party productivity and internet applications. Affected systems included servers and workstations utilized by financial application users and system administrators with privileged levels of access to financial systems and general support systems. All of the "high risk" vulnerabilities identified were more than 30 days old, including 18 that were missing patches more than 1 year old. Furthermore, we identified several instances where the Commission was using software that was no longer supported by the vendor. As noted by the National Institute of Standards and Technology, proactively identifying and remediating system vulnerabilities can reduce or eliminate the potential for exploitation and involves considerably less time than responding to an exploit.

Cyber Security Policy Implementation

The problems we identified were due, in part, to less than fully effective implementation of cyber security policies and procedures. In particular, Commission officials informed us that they did not follow their existing VMP policies due to budget and resource constraints. As such, the identified "high risk" vulnerabilities on network server and workstation systems had not been remediated in a timely manner. While there are many nuances that must be considered when managing the use of existing resources, it is important to ensure that "high risk" vulnerabilities such as those identified during our review receive adequate attention and are addressed in a timely manner.

In addition, although the Commission had identified and tracked the vulnerabilities found during our testing in its Vulnerability Tracking Tool, officials had not followed the remediation timeframes required by its VMP procedures. For example, the VMP required that "high risk" vulnerabilities be remediated within 30 days.

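The 30-day requirement above is the kind of check a vulnerability tracking tool can apply automatically rather than leaving to manual review. The following is an added example and is not part of the OIG report or of the Commission's own VMP tooling. It takes a constructed tracker export (host names, finding identifiers and dates are fictitious), applies the report's 30-day window for "high risk" items, and tallies what the finding above tallies: open high-risk items past their window, items more than a year old, and hosts running software the vendor no longer supports. It goes one step beyond the report by also counting items that were closed late, since a late fix is still a missed window. The windows for medium and low severities, the record layout, and the function names (`Finding`, `days_open`, `is_overdue`, `sla_report`) are assumptions made for this example.

```python
"""SLA check over a vulnerability-tracker export (added example).

Not part of the OIG report or of the Commission's Vulnerability Management
Program tooling. The 30-day window for "high risk" findings is the one figure
taken from the report; the other windows, the record layout, and the sample
findings are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Remediation windows in days by severity. "high": 30 is the VMP requirement
# cited in the report; the medium and low values are assumed for illustration.
SLA_DAYS = {"high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str                    # tracker identifier (placeholder values below)
    severity: str                      # rating from the vendor and/or NVD
    first_seen: date                   # date the scanner first reported it
    remediated: Optional[date] = None  # None while the item is still open
    vendor_supported: bool = True      # False when the product is past end of support


def days_open(f: Finding, as_of: date) -> int:
    """Days the item was (or has been) open: to remediation, or to `as_of` if open."""
    end = f.remediated or as_of
    return (end - f.first_seen).days


def is_overdue(f: Finding, as_of: date) -> bool:
    """True when the item stayed open longer than its severity's window."""
    return days_open(f, as_of) > SLA_DAYS[f.severity]


def sla_report(findings, as_of: date) -> dict:
    """Tally the export the way the finding in the report does."""
    still_open = [f for f in findings if f.remediated is None]
    open_high = [f for f in still_open if f.severity == "high"]
    return {
        "open": len(still_open),
        "open_high": len(open_high),
        "high_overdue": sum(is_overdue(f, as_of) for f in open_high),
        "high_over_1yr": sum(days_open(f, as_of) > 365 for f in open_high),
        # Closed items count too: a fix applied after the window is a missed SLA.
        "closed_late": sum(is_overdue(f, as_of) for f in findings if f.remediated),
        "unsupported_hosts": sorted({f.host for f in still_open if not f.vendor_supported}),
        "overdue_ids": sorted(f.finding_id for f in still_open if is_overdue(f, as_of)),
    }


# Constructed sample export. Host names, identifiers and dates are fictitious.
AS_OF = date(2011, 9, 30)
SAMPLE = [
    Finding("ws-fin-01", "F-001", "high", date(2010, 6, 1)),                        # 486 days open
    Finding("ws-fin-02", "F-002", "high", date(2011, 8, 15)),                       # 46 days open
    Finding("srv-db-01", "F-003", "high", date(2011, 9, 10)),                       # 20 days, in window
    Finding("srv-web-01", "F-004", "medium", date(2011, 3, 1)),                     # 213 days open
    Finding("ws-admin-03", "F-005", "high", date(2011, 7, 1), date(2011, 7, 20)),   # fixed in 19 days
    Finding("srv-app-02", "F-006", "high", date(2011, 4, 1), date(2011, 6, 15)),    # fixed, but in 75 days
    Finding("ws-legacy-09", "F-007", "low", date(2011, 9, 1), vendor_supported=False),  # unsupported product
]

if __name__ == "__main__":
    for key, value in sla_report(SAMPLE, AS_OF).items():
        print(f"{key}: {value}")
```

On the sample export, `sla_report` reports two of the three open high-risk items as overdue, one of them more than a year old, one host flagged for end-of-support software, and one high-risk item that was fixed but only after 75 days. Recording the remediation date rather than a simple open/closed flag is what makes that last count possible; a tracker that only stores status cannot show whether the window was met.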

Our testing found, however, that each of the identified "high risk" weaknesses had significantly exceeded that prescribed timeframe for remediation.

Risk to Commission Systems and Information

Although the Commission continued to make progress in improving its cyber security posture, additional actions are needed to further reduce the risk to the agency's information systems and data. In particular, network servers and workstations running applications that were missing security updates for known vulnerabilities, or that were no longer supported by the vendor, were at a heightened risk of malicious attacks that could result in the compromise of vulnerable systems. For example, an attacker could exploit the vulnerabilities to gain unauthorized access to systems, applications and sensitive data, including financial systems and data, which could disrupt normal business operations or have negative impacts on system and data reliability. Additionally, workstations were at risk from computer viruses and other malicious exploits that could provide attackers with complete control of those systems and of other devices residing on the internal network.

RECOMMENDATION

To correct the weaknesses identified in this report and improve the effectiveness of the Commission's unclassified cyber security program, we recommend that the Executive Director, Federal Energy Regulatory Commission, take the following action:

    •   Fully implement existing vulnerability and patch management procedures to ensure that security vulnerabilities are remediated and verified in a timely manner.

MANAGEMENT REACTION

Management concurred with the report's recommendation and commented that it had initiated actions to address weaknesses identified during our evaluation. In particular, management commented that it was aware of the vulnerabilities identified during our review and would resolve them through existing remediation plans by the end of 2011. In addition, management stated that it would continue to actively monitor all vulnerabilities, in addition to any new threats identified through the use of security tools and alerts communicated from external sources.

AUDITOR COMMENTS

Management's comments were responsive to our recommendation. Management's comments are included in their entirety in Appendix 3.

Appendix 1: Objective, Scope and Methodology

OBJECTIVE

To determine whether the Federal Energy Regulatory Commission's (Commission) unclassified cyber security program adequately protected data and information systems.

SCOPE

The evaluation was performed between July 2011 and November 2011, at the Commission's Headquarters in Washington, DC. KPMG LLP (KPMG) assisted the Office of Inspector General (OIG) by performing an assessment of the Commission's unclassified cyber security program. Our evaluation also included a review of general and application controls in areas such as security management, access controls, configuration management, segregation of duties, and contingency planning.

METHODOLOGY

To accomplish our objective, we:

    •   Reviewed Federal laws and regulations related to controls over information technology security, such as the Federal Information Security Management Act of 2002, Office of Management and Budget Memoranda, and National Institute of Standards and Technology standards and guidance;

    •   Evaluated the Commission in conjunction with its annual audit of the Financial Statements, utilizing work performed by KPMG. OIG and KPMG work included analysis and testing of general and application controls for the network and systems and review of the network configuration;

    •   Reviewed the overall unclassified cyber security program management, including the Commission's policies, procedures and practices;

    •   Held discussions with Commission officials and reviewed relevant documentation; and,

    •   Reviewed prior reports issued by the OIG and the U.S. Government Accountability Office.

We conducted this evaluation in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the effort to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our finding and conclusions based on our audit objective. Accordingly, we assessed significant internal controls and the Commission's implementation of the Government Performance and Results Act of 1993 and determined that it had established performance measures for its information and unclassified cyber security program. Because our evaluation was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our evaluation. We relied on computer-processed data to satisfy our objective. In particular, computer assisted audit tools were used to perform probes of various networks and drives. We validated the results of the scans by confirming the weaknesses disclosed with responsible on-site personnel and performed other procedures to satisfy ourselves as to the reliability and competence of the data produced by the tests.

Management waived an exit conference.

Appendix 2: Related Reports

•   The Federal Energy Regulatory Commission's Unclassified Cyber Security Program – 2010 (OAS-M-11-01, October 2010). The Federal Energy Regulatory Commission (Commission) had taken actions to significantly improve its cyber security posture and mitigate risks associated with each of the four weaknesses we identified during our Fiscal Year (FY) 2009 evaluation. However, additional action was needed to improve protection of information systems and data. Specifically, we found that security patches needed to resolve known vulnerabilities discovered during regularly scheduled scans were not applied to all workstations in a timely manner. In addition, even though officials had established an automated mechanism for tracking all known vulnerabilities, only 10 percent of the identified "high risk" vulnerabilities were actually being tracked. The problems we identified with the Commission's unclassified cyber security program were due, in part, to the less than fully effective implementation of policies and procedures. As such, the risk to the agency's information systems and data remained higher than necessary. Management concurred with the report's recommendations and commented that it had initiated actions to address weaknesses identified during our evaluation.

•   The Federal Energy Regulatory Commission's Unclassified Cyber Security Program – 2009 (DOE/IG-0830, October 2009). The Commission had taken steps to improve its unclassified cyber security program; however, additional actions were necessary to help ensure the networks, systems and data were adequately protected against increasingly sophisticated cyber security attacks. These problems occurred, at least in part, because the Commission had not developed policies and procedures to address all Federal requirements pertaining to information security. In addition, officials had not always effectively implemented existing policy and/or corrected previously observed weaknesses. The Commission's Plan of Action and Milestones process for addressing cyber security weaknesses did not include all information necessary to ensure effectiveness. Absent improvement, the risk to the agency's information systems and data remained higher than necessary. Management concurred with the report's recommendations and commented that it had initiated or already completed actions to address weaknesses identified during our evaluation.

•   The Federal Energy Regulatory Commission's Unclassified Cyber Security Program – 2008 (DOE/IG-0802, September 2008). While the Commission had taken action to improve its unclassified cyber security program, our evaluation disclosed that additional actions were needed to reduce the risk of compromise to business information systems and data to an acceptable level. These problems existed because the Commission had not fully developed or implemented all current Federal cyber security requirements. In response to our inquiries, management stated that due to the recent departure of a large number of information technology staff, insufficient attention had been given to ensuring that existing policies and procedures were implemented. We made several recommendations designed to assist in achieving this goal. Management concurred with the report's recommendations and stated that measures were being taken to ensure that issues identified in our report were being addressed.

Appendix 3: Management Comments

CUSTOMER RESPONSE FORM

IG Report No. OAS-M-12-01

The Office of Inspector General has a continuing interest in improving the usefulness of its products. We wish to make our reports as responsive as possible to our customers' requirements, and, therefore, ask that you consider sharing your thoughts with us. You may suggest improvements to enhance the effectiveness of future reports. Please include answers to the following questions if they are applicable to you:

1. What additional background information about the selection, scheduling, scope, or procedures of the inspection would have been helpful to the reader in understanding this report?

2. What additional information related to findings and recommendations could have been included in the report to assist management in implementing corrective actions?

3. What format, stylistic, or organizational changes might have made this report's overall message more clear to the reader?

4. What additional actions could the Office of Inspector General have taken on the issues discussed in this report which would have been helpful?

5. Please include your name and telephone number so that we may contact you should we have any questions about your comments.

When you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-0948, or you may mail it to:

    Office of Inspector General (IG-1)
    Department of Energy
    Washington, DC 20585
    ATTN: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of Inspector General, please contact Felicia Jones at (202) 253-2162.

The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible. Therefore, this report will be available electronically through the Internet at the following address:

    U.S. Department of Energy Office of Inspector General Home Page
    http://energy.gov/ig

Your comments would be appreciated and can be provided on the Customer Response Form.